Fortinet FORTIOS V3.0 MR7

FortiOS v3.0 MR7 SSL VPN User Guide

42 01-30007-0348-20080718

Configuring user accounts and SSL VPN user groups Configuring a FortiGate SSL VPN

7To activate the split tunnel feature, select Enable Split Tunneling. Split tunneling

ensures that only the traffic for the private network is sent to the SSL VPN

gateway. Internet traffic is sent through the usual unencrypted route.

8To override the Tunnel IP range defined in VPN > SSL > Config, enter the starting

and ending IP address range for this group in the Restrict tunnel IP range for this

group fields.

9If the user group requires web-only-mode access, select Enable Web Application

and then select the web applications and/or network file services that the user

group needs. The corresponding server applications can be running on the

network behind the FortiGate unit or accessed remotely through the Internet.

10 To enable client-integrity checking options, select from the following:

• Check FortiClient AV Installed and Running

• Check FortiClient FW Installed and Running

• Check for Third Party AV Software

• Check for Third Party Firewall Software

• Require Virtual Desktop Connection

The client-integrity checking options determine whether the FortiClient™ Host

Security application or other antivirus/firewall applications are running on the client

computer before a tunnel is established. The host-checking function is performed

by the ActiveX/Java Platform control, which is downloaded and installed on the

client computer the first time the client initiates the SSL VPN portal.

If there are no applications installed and enabled on the client computer, the

connection is refused. Table1 lists the products supported for clients who have

Windows XP SP2. All other systems must have Norton (Symantec) AntiVirus or

McAfee VirusScan software installed and enabled.

Note: If you configure a user group and define Restrict tunnel IP range for this group, the

group range is used in the SSL VPN configuration. If you do not define a range of global IP

addresses, you must define a group range. If you define both IP address ranges, the group

level range is applied to the configuration.

Note: The user account used to install the SSL VPN client on the remote computer must

have administrator privileges. If the user account does not have administrator privileges,

the installation will fail (with Windows, there will be no error message with a failed

installation). After the ActiveX or Java Platform control is installed, the client computer can

be used by a user who does not have administrator privileges.